USG1100 - VPN IKEV2 occasionally AUTH fail

another_user

Hello all

after my last post -->  https://businessforum.zyxel.com/discussion/4537/ssl-vpn-and-ad-group-identifier

i have upgradated to the last version V4.39(AAPK.0)  that resolve le ssl vpn group access.

However, now i have an occasionally strange bug with VPN ike.

The configuration  is the same, nothing is changed (only firmware)

AD -->  windows server 2012 R2 64

Zyxel -->  USG1100

VPN Ikev2 is configured like this tutorial  https://mysupport.zyxel.com/hc/en-us/articles/360005744000--ZyWALL-USG-How-to-set-up-a-Client-to-Site-VPN-Configuration-Payload-DHCP-connection-using-IKEv2

with AD + mschapv2 authentication

This VPN worked perfectly on firmware  4.31, now sometimes reporting (on Ike log) AUTH FAIL, this problem happens every 7-10 days  for only 20-30 minutes (the time is very strange and variable), on multiple users simultaneously, than disappears after some minutes.

The connected users before error remains connected.

The clients are windows 10 with integrated VPN.

Seems the problem concern phase 1 - mschap, like the firewall sometimes didn't check the ad server for users login.

There is a correct AAA server mschap with user domain ad group, the firewall is on active directory, but i noticed that on auth metod, mschap is  last and not present on default.

Could possibly resolve adding group ad_mschap on default method?

if you need more info just ask.

many thanks